Is Your Organization’s Information Safe?

Share

If you work for a company with ~50+ employees, you may start to wonder why your IT team is so busy and unable to respond to support requests more quickly. Well, not only are they chipping away at a mountain of user requests, but they're also working to safeguard the organization’s information from many threats.

To most organizations, private information is extremely valuable and must be secure. Some think, “Oh I’m safe, I have the most up-to-date anti-virus software on my laptop”, but this is a fallacious assumption. Protecting against internal / external threats, maintaining the integrity of information, and implementing control systems based on in-depth risk assessment requires a well-structured security program. This article will outline the different functional branches of a sound information security program, and perhaps shed some light on why your IT friends are so busy (and in some cases, angry).

Ideals of Information SecurityAccording to NIST (National Institute of Standards and Technology), there are 8 major concepts that any well-developed information security program will follow as guidelines. Each concept addresses a different aspect of how information security policies and controls are set in place to support overall organizational operations.

Information Security…

supports the mission of the organization

an integral element of sound management

protections are implemented so as to be commensurate with risk

roles and responsibilities are made explicit

responsibilities for system owners to go beyond their own organization

requires a comprehensive and integrated approach

is assessed and monitored regularly

is constrained by societal and cultural factors

A common theme can be found throughout these guidelines, a need for customization. Each program must consider threats & vulnerabilities specific to the work (field) of the organization it is designed to support.

Basic Comparison

Threats

In the world of Information Technology & Security, there exists a plethora of variable threats. For this reason, it is important to identify and understand which threats exist in your organization’s realm. A few of many possible threats to information security are explained below:

Fraud and Theft – Can be committed by insiders and outsiders, often motivated by financial gain, hence often targeting financial systems. Often applied through social media, automating traditional (advertising) fraud methods, or more advanced intrusion methods.

Insider Threat – Rogue employees that intend to sabotage their organization pose a serious threat to information security. Methods often include crashing systems, planting malicious code, as well as holding/deleting/falsifying data.

Information Security PolicyAccording to NIST SP 800-95, policies are “statements, rules or assertions that specify the correct or expected behavior of an entity”. In terms of information security, policies can have multiple meanings or roles, so to speak. Policies may range from access control rules for software components to managerial decisions that back an organization’s user policies, such as email privacy or access security. With the need for implementation of these policies, comes a need for a hierarchy of roles and responsibilities within a security program (this is further explained in the referenced NIST article). Overall, information security policies provide the framework and guidance for the program.

Information Security Risk Assessment/Management

One of the most crucial aspects of information security, risk assessment/management allows the program to be customized based on specific threats to the organization at hand. A company with invaluable information to protect, such as a federal organization, will perform an in-depth risk assessment to assure every threat is considered, monitored & controlled at virtually any monetary cost. Looking at it another way, you aren’t going to spend thousands of dollars on advanced anti-theft software unless you have thousands more in assets to protect. The NIST provides a diagram of their procedure for organization-wide risk management below:

Security System Support

As with any organizational system, support and maintenance is crucial when it comes to an information security system. This involves a variety of controls that need to be managed by our IT friends, such as user/software support, configuration management, backups, documentation, risk monitoring, and overall maintenance.

Cryptography

Encryption is a tool for information security developed from an underlying branch of mathematics called, Cryptography. These mathematical algorithms, designed for the transformation of data, are extremely useful in protection of information. Some examples of encryption/cryptography commonly utilized in information security include:

Data Encryption

Electronic Signatures

Integrity (assuring non-alteration of original data)

User Authentication

Control Families

Possibly the most important of all tools for information security are control families. FIPS 200 from the NIST specifies minimum security control requirements in multiple areas (for federal organizations). Various security control families that address management, operational, and technical aspects can be found listed below. For more controls and detailed descriptions, refer to NIST SP 800-53.

Access Control (AC)

Awareness & Training (AT)

Audits / Accountability (AU)

Assessment, Authorization, & Monitoring (CA)

Configuration Management (CM)

Contingency Planning (CP)

Identification & Authentication (IA)

Individual Participation (IP)

Incident Response (IR)

Maintenance (MA)

Media Protection (MP)

Privacy Authorization (PA)

Physical and Environmental Protection (PE)

Planning (PL)

Program Management (PM)

Personnel Security (PS)

Risk Assessment (RA)

System & Services Acquisition (SA)

System & Communications Protection (SC)

System & Information Integrity (SI)

Controls are variably important and serve at different levels of an organization’s information security program. An example hierarchy of information security controls is displayed in the pyramid below:

A Group Effort

Maintaining the security and integrity of your organization’s information is a group effort shared by all users and support staff. Developing a strong information security program involves constructing/complying with policies, clearly defining roles & responsibilities, meticulous risk management, and implementing proper security controls. So just remember, not only is your IT team dealing with the day-to-day support requests, but also serving as the organization’s main defense against threats to information by building & managing a sound security program.

For a more detailed description of threats, check out the NIST document referenced by this article.